Cyber Hygiene
Security Risks From Employees Working From Home
Audits Don't Solve Security Problems
Is 'Discover, Classify, Protect' Wrong In Cybersecurity Today?
Breadth Vs. Depth: Cybersecurity Industry Has Been Focusing On The Wrong Thing
Third Party Vendors
The Rise Of DASB, Sunset Your DLP
AWS Source Code Leak
End Source Code Theft
Why Isn’t DLP Preventing Data Breaches?
SecureCircle Data Access Security Broker (DASB) Selected By Quanta Storage To Eliminate Insider Threats
Organizations Should Bulk Up Cybersecurity In Case Of Iranian Cyber Attack
The Evolution of Data Protection
Ransomware stealing data before encrypting
Insider Threats Infographic
Who collected 4 billion records on 1.2 billion users?
Cisco Systems - Target of Malicious Insiders
New Yorks SHIELD Act
Insider Threat at Lion Air (Update)
How to Prevent the Lion Air Databreach
CIO IT Taiwan | SecureCircle 控管檔案讀取 權不怕合作生變造成洩密
How to Prevent the Mastercard Data Breach
Capital One Hacker Breached 30 Companies Through a Single Cloud Provider
Government Organizations Are Not Ready for Cyberattacks
How to Prevent the Boeing Data Leak
End Insider Threats Without Impacting Users Or Business Workflow
Singapore Overhauling Data Protection Practices
SecureCircle available on Taiwan Government CloudMarketplace
SecureCircle placed on UK Government Framework Catalogue
The New Federal Data Strategy
SecureCircle announces United Kingdom and EMEA Distributor, Care21
Quest Diagnostics and LabCorp in Trouble
Insider Threat in the Air Force
Disruptor Daily | What trends are shaping cybersecurity in 2019?
Disruptor Daily | What is the future of cybersecurity? Experts share their insights
How to Combat the Business Email Compromise Scam
How to Prevent Government Data Breaches
Availability Bias in Cybersecurity
How to Minimize Your Exposure to Employee Mistakes
A Look Inside Toyotas Second Data Breach
Four Keys to Data-Centric Data Protection
Asymmetric Information Causes Data Breaches
SecureCircle Introduces Send Secure for Agentless Protected Data Sharing
The Financial Consequences of a Data Breach
Insider Threats Can Happen to Anyone
Federal Data Privacy Laws Are Coming
Forget Collection 1: Here comes Collections 2-5
Forbes | 10 Industries On The Cusp Of Technological Disruption
Collection 1: Not a Big Deal?
It All Adds Up: Better Cybersecurity is a Necessity in 2019
Why New Year Resolutions Fail
9 Costly Security Mistakes
Security InfoWatch | The Last Mile Security at the Edge
2019 Security Predictions(Infographic)
Security Today | Rethinking Access Control
We love what we do - 2018 Review (Infographic)
Holiday Hacks Are Not Going Away
Solving Multi-Cloud Security
A better solution than web bugs for internal visibility
Why File Encryption is not enough - A Customer Conversation
Security, Visibility, and Control
SecureCircle Introduces Enhanced Cybersecurity Offering for Cloud-First Enterprises
Healthcare Needs a Change
What is old is new: Cold Boot Attacks
Inside Information - Data that should NEVER leave the organization
CTimes | SecureCircle and Netbridge Distribution Partnership (Chinese)
SecureCircle Announces Asia Pacific Distributor, NetBridge Technologies
Insider Threats
CSO | The hidden security problem we all need to know about
Opt-Out is more than blocking SPAM
What is Opt-Out Data Centric Protection? And why is it so important
Digital Hygiene in a GDPR World
Security Info Watch | Enterprises Beware: Cybersecurity Challenges in the Cloud
GDPR Readiness (Infographic)
The Lost Laptop
Strategic Finance | Security in a World of Zero Trust
Reading Between the Lines - The Real Impact of Insider Threat (Infographic)
Protecting Internal Data
Press & News Embargos
CSO | GDPR: Where are we now?
SecureCircle @ CIAB FEBRABAN, Sao Paulo Brazil - The Recap
California Consumer Privacy (The next generation of GDPR)
I am safe. My data is encrypted. Right?
University of Texas MD Anderson Cancer Center ordered to pay $4.3 million in HIPAA violations
Is my Air Gapped Computer Safe?
The Broken 80/20 Rule
SecureCircle and Fiandeira Tecnologia Showcase Unstructured Data Solution at CIAB FEBRABAN
SecureCircle will be exhibiting at CIAB Sao Paulo Brazil June 2018
Throw Tech Away - The Rise of a New Generation of Data Security
GDPR Compliance Tips: The Top Experts Speak
Are you ready for a password-less world?
CSO | The Impact of Human Behavior on Security
Account compromised? What about your file content?
Age old discussion: Convenience versus Security
SDxCentral | Four Security Myths You Need to Shake
Security Today | Digital Security in a Zero Trust World
MegaMinds AIthority Interview with Jeff Capone
2018 Govies Awards
Data Protection needs to be agnostic like Switzerland

Securing Source Code on Endpoints - White paper

Written by 
SecureCircle
 | 
October 29, 2020

Securing source code from loss or theft has historically been challenging due to the lack of security options available to deliver effective security without impacting developer productivity. For many businesses, their source code is an extremely valuable asset yet to enable productivity it has to be copied onto developer endpoints in plain text formats, making it difficult to keep this valuable asset secured and monitored.

SecureCircle’s Data Access Security Broker (DASB) is a simple and reliable security architecture that enables customers to secure source code on the endpoint without impacting developers from doing their job. DASB protects against both insider threat and accidental data loss without constraining developers to a particular IDE or build tools.

When deployed in a best practice configuration, SecureCircle can secure source code on endpoints without development teams needing to change how they operate or interact with code, IDEs, and development tools. This focuses on SecureCircle best practices for securing source code in development environments.

High-level architecture


The most common approach to managing and working with source code is to leverage one or more code repositories that are considered the source of truth for a given development project. The code repositories provide functionality that simplifies managing various versions of code, branches, and releases.

In development environments, it is common practice for developers to copy code onto their endpoints (Mac/PC/Linux) using a pull request or checkout process. This checkout or pull operation allows developers access to move code directly to their local endpoint for the fastest and most reliable development experience when working with code.

SecureCircle ensures source code is persistently encrypted when it moves to the developers’ endpoint without impact to developers and their tools so businesses always remain in control of their source code regardless of where the code resides.


Securing source code on the endpoint

When SecureCircle has been configured to best practice, source code is secured as it moves from the code repository to developer endpoints. Specifically, the client process (e.x. git, svn) on the developers’ system is configured as a Secure Process. When the Secure Process copies or writes source code files to the developer endpoint, the SecureCircle agent ensures the source code within the files is encrypted at all times and remains secured even in-use.


An additional layer of security recommended by SecureCircle is to use SSH as the transfer protocol for any pull requests from the code repository. Not only will this ensure source code is encrypted in transit, but it also allows an added layer of security by allowing the private SSH key file on developers’ endpoints to be managed by SecureCircle. By securing the key with SecureCircle, access to both the source code on the endpoint and access to the repository over the network can be revoked when disabling a user or device. When access to the code is revoked, it can no longer be read on the endpoint by any process. Similarly, the endpoint will no longer be able to make requests to the repository, as the SSH key that grants access to the code repository is also unreadable. All secured source code on developer endpoints is monitored. When the applications and process attempt to access the source code, the attempted actions can be logged in a SIEM for further analysis.


Allowing access to source code on the endpoint


Source code within files that have been checked out by an approved developer on an approved endpoint, by an approved process, are always kept in an encrypted state. Not only is the code always encrypted, only approved IDEs and compilers are granted access to the code within the file other processes on the developers’ endpoint can’t access the plain text version of source code unless explicitly approved.


When an approved IDE opens source code, it reads plain text yet the file is never decrypted. However, the source code is kept within the IDE and other approved processes, such as alternate IDEs. Compilers can also be approved applications and read plain text within the secured file so that compiled code can be successful without any change to the developers’ normal workflow or changes to the build tools.


In general, when processes that consume data run on the endpoint they are either considered an Allowed Process that grants permission to read the content within files or a Denied Process, in which case they are forced to read the encrypted version of the bytes. Transport tools such as windows explorer, Mac Finder, email clients, and file sync clients (e.g. Dropbox) are all recommended to be Denied Processes, which means these processes can transport secured files but never read the plain text contents.

Securing source code within the clipboard


It is common to use the clipboard in the operating system to move data from one location to another. In source code development, the ability to copy and paste is an important tool for productivity. With SecureCircle, developers are free to copy and paste within and between Allowed Processes. However, if a developer attempts to paste code from an Allowed Process to a Denied Process, the operation will be blocked. By controlling copy and paste in this way source code can be blocked from being exfiltrated into unapproved applications and processes that are considered high risks, such as email clients or web browsers.


Securing newly created and derivative source code
When new source code files are created, they can either be secured by default, as part of a Secure Process, which secures every new file created or they can be secured based on the content of the code being a derivative of source code that was previously secured by SecureCircle.


By enabling Secure Derivative, similarities within data across files will be detected. When a new file is created with similar contents to an existing file, it will be automatically secured with the same policies as the original file and transparently encrypted to allow the security to move with the data. When source code is copied from one file to another within an Allowed Process, Secure Derivative ensures the file that receives that code will inherit the security of the file that contained the original code.


Checking source code into the repository
When checking code back into the code repository, the process on the developer endpoints can be set as an Allowed Process, which removes the encryption from the bytes within the source code as it is sent to the code repository. The source code files are encrypted in transit through SSH but are then stored in plain text format within the source code repository, which allows standard server-side tools within the code repository to continue to operate as expected. When a developer checks out the code in the future, it will be secured as per the original method described above. SecureCircle recommends that security controls be implemented on the repository to complement the code workflow described in this whitepaper.

Revoking access to source code


In the event that access to source code needs to be revoked, SecureCircle allows the ability to disable access to source code on endpoints by user, group, or device.


When access to data is disabled, the data is no longer accessible to the user, group or device implicated, regardless of where the data resides. Attempts to access the source code on a device that had access revoked will be denied and these attempts will be logged. Additionally, the ability to copy source code from the repository will also be revoked as the SSH private key file will no longer be accessible to the clone process on the developers endpoint. Removal of access to source code can be effective within seconds based on the configuration of time to live (TTL) settings within the SecureCircle service. Finally, access to any additional copies or derivatives will also be revoked even in the event they were copied onto removable media.

Conclusion
SecureCircle allows businesses to create workflows that automatically secure data as it moves to endpoints. By deploying SecureCircle source code is encrypted within files as they are pulled out of source code repositories with no impact to developers or the tools they use. Source code is always kept in an encrypted state, and only approved applications can access and modify the plain text code. Access to source code can be revoked at any time, regardless of where the secured source code files are being stored. Keeping data encrypted within any type of file without impacting developers or developer tools is what makes this approach to source code security unique. At SecureCircle, we believe that frictionless data security drives business value for our customers by providing persistent protection against
accidental exfiltration and insider threat. For more information on how we approach data security, please visit our website www.securecircle.com.

Download whitepaper : Securing Source Code on Endpoints

Prevent Data Breaches

Let’s discuss your unique cybersecurity challenges and needs.

Contact Us

If you want to notified when we post the newest content about mitigating insider threats, data breaches, protecting source code, and DASB, please subscribe to our SecureCircle newsletter.

Share: